NSM On-Prem Reporting Server configuration

Description

The NSM On-Prem Reporting server can be configured separately, regardless of whether firewalls are added to the NSM server with Zero Touch or manually.
Once the Reporting server is configured in NSM, NSM pushes the Reporting server configuration to each firewall when that firewall is added to NSM.

The Reporting server configuration in NSM On-Prem is under System/Deployment/Nodes.

There are two scenarios when adding a firewall to NSM On-Prem: either there is a site-to-site VPN between the NSM On-Prem server and the firewall, or there is no such VPN between them.

In the scenario where there is no site-to-site VPN, the NSM Reporting server IP is the same as the NSM public IP.

In the scenario where there is a site-to-site VPN, the NSM Reporting server IP is still the same as the NSM public IP, even when the firewall is added to NSM using its private IP over the VPN.

In both cases, the perimeter firewall in front of NSM On-Prem forwards UDP port 16001 traffic from the WAN to the NSM On-Prem server for reporting data. Here is a KB article on how to configure port forwarding to an internal server such as the NSM server:
https://www.sonicwall.com/de-de/support/knowledge-base/how-can-i-enable-port-forwarding-and-allow-access-to-a-server-through-the-sonicwall/kA1VN0000000OvH0AU

Notes:

Firewalls send Reporting and Analytics data using the AppFlow protocol over port 16001. The AppFlow packets are encrypted and sent to the NSM On-Prem server out of the firewall's WAN interface. Egressing Reporting and Analytics data over a VPN tunnel is no longer supported in NSM On-Prem/SaaS for GEN7 firewalls running SonicOS 7.0.1 or higher. This is because sending encrypted Reporting and Analytics data through a VPN tunnel results in double encryption.
